Weaponise passwords to catch bad guys

I was looking at these fake sextortion emails the other day, after somebody told me that one had a correct password in it. (Sextortion: If that term isn’t clear, it can be messages that may look something like the following, and in these cases appear to come from your own email address):

My nickname on the darknet is <soon-to-be-dead> and people quake in their boots when they hear my name.

I hacked this mail address over six months ago. From it I took over your operating system with a trojan that I created. I’ve been watching you since then.

Your password for <kill-all-extortionists@smashtheirbrainsin.com> is <ultra-secret-password>

Even if you change that password, it makes no difference. I’m watching everything you do, with my NSA-ware and I have a record of all changes that you make.

I have access to everything on your computer and that you access with your computer or smart-phones. Social networks, email, browsing history, contact details, photos, videos, all of it.

I was particularly interested in the naughty sites that you sometimes visit. You have a very wild imagination, I tell you!

While you were there I filmed what you did with your own camera. Oh my god! You are so funny and excited!

I assume you don’t want everyone you know to get copies of this? If you don’t, I’m charging $<Some-Number> to destroy it all.

Send the above amount to my BTC (bitcoin) wallet: <Some-GUID> As soon as I get the money, I’ll delete the information.

Otherwise, I’ll send it to all your contacts.

I’ll know when you open and read this email. After that you have 48 hours to comply!

I hope I taught you a good lesson. Do not be so nonchalant, please visit only proven resources, and don’t enter your passwords anywhere! Good luck!

I decided to take a deeper look. A few minutes later I found another such email addressed to me. It had a password that looked plausible, though I didn’t specifically remember it. I decided to check, knowing full well, that a decent check could take a long time. I was very lucky and found the password quickly. It was only ever used once and I knew the site it was used on.

I found no reports of a breach on that site, so reported the problem to them.

That got me thinking. I was fortunate to find it quickly but it could have wasted a lot of my time. A lot of other people, who use unique passwords, aren’t going to look. Too much effort.

So what can be done to make password identification easy? Here’s one answer. Create a strong password then add something to it that identifies the site to you, and you alone.

You get another of those emails, or the worse things that may follow.

You know immediately where it came from.

You can take action.

For example:

A password of z%$YTflf,cS\y4GVlc"X

could become z%$YTflf,FBcS\y4GVlc"X, or FumbDuckerz%$YTflf,cS\y4GVlc"X or whatever will remind you it’s from Facebook

With something like that individuals can seize back a little control, and, maybe, help sites identify breaches more quickly.

Notes:

Password systems are designed in different, odd and often inexplicable ways. Many have their own rules, many bad, for what constitutes a good password. Your identification system must fit in with what you find.

2. Some systems have limited password length

Your identification may need to be quite short to still give you a decently strong password if the size is very limited

3. Some password systems change the capitalisation of your password

This has got to be one of the stupidest things ever, but it does happen. I suggest you don’t accommodate such silliness in your identification scheme, and figure out what to do when you encounter it. One suggestion: don’t use sites that are this silly, if you have a choice.

I’ve seen evidence that this can happen. Your scheme, maybe, shouldn’t depend on capitalisation.

5. Password entries often fail to tell you, in advance, what characters they will and won’t accept

You may need to test a bit.

6. You may use the same password on another site.

If you do that, and continue to do it, this idea is not for you.

7. Check your password store, to establish how you can look things up

Password stores generally don’t allow you to search by password. It’s worth checking whether that is the case. If you can search your store, you could avoid making the password identifiable. Making the password identifiable would still be useful though, you wouldn’t need to search.

8. A minimal identification system

An easily readable identifier may be your preferred approach. Where you can’t do that (like limited length) you might want a compact ID system. One idea is to use an identifier like a7 or b3z. That’s a “number” made up from “digits” taken from “abcdefghijk…uvwxyz23456789”, which you use to create a unique “number” for each site. You keep a note of that. (Case insensitive, 0 and 1 missing as they can be confused.)

9. Updating

When updating a password remember your scheme.

10. Identifier plus standard ending

It would be possible to use an identifier plus a standard ending as your password. This would still give unique passwords but they aren’t as strong as can be. I don’t recommend it.

11. Uncontrollable passwords

Sometimes passwords are out of your hands, you don’t create them yourself. If you encounter that, I think it’s rare, you will still find it easier to track down breaches. If most of your passwords are easily identifiable, you only need to check a few exceptions, should you ever get them.

12. People asking for password and security details

When you find a breach you may find people asking you to give them your, now changed, password and all sorts of details. I recommend that you don’t. Firmly decline their requests. Forums, emails, Social Media and all the rest are not secure and the web has a lot of malevolent people. Don’t give them information that might be used against you. (Where you need to communicate sensitive information, consider being able to encrypt and decrypt messages. You may then be able to talk more safely with selected people. This can even be done using normal, unsafe, email.)